From 478e7e52cb220075a6c1eb796ca18391189a29ab Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sat, 23 May 2026 21:14:04 +0200 Subject: [PATCH] BUG/MINOR: log: look for the end of priority before the end of the buffer In parse_log_message(), the first loop looks for '>' that finishes the priority field, and unfortunately it stops once it has checked the first byte after the end of the buffer. This means that a priority made only of digits for the whole buffer would read one extra byte. In practice since pools have a tag at the end this is only detectable when using ASAN, but this should be fixed nevertheless. This can be backported to all versions. It's worth noting that RFC5424 now says that the PRI field is 1..3 digits only, so maybe at some point we could seriously limit the length as well. --- src/log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/log.c b/src/log.c index 2a6f4c232..1acc1a0c4 100644 --- a/src/log.c +++ b/src/log.c @@ -5499,7 +5499,7 @@ void parse_log_message(char *buf, size_t buflen, int *level, int *facility, return; fac_level = 10*fac_level + (*p - '0'); p++; - if ((p - buf) > buflen) + if ((p - buf) >= buflen) return; }